Assurance

[Brett Bieber <>]

David Walker drew my attention to this Executive Order from the President of the United States, issued last Friday, October 17th. If you read the tea leaves as I do, one item could relate to the InCommon Federation, and the Assurance Program.

Here's an excerpt, with the bolded portion I'm focusing in on:

Sec. 3. Securing Federal Transactions Online. To help ensure that sensitive data are shared only with the appropriate person or people, within 90 days of the date of this order, the National Security Council staff, the Office of Science and Technology Policy, and OMB shall present to the President a plan, consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace, to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate. Within 18 months of the date of this order, relevant agencies shall complete any required implementation steps set forth in the plan prepared pursuant to this section.

The document referenced, the 2011 National Strategy for Trusted Identities in Cyberspace, is an interesting read, and connects this executive order with the Assurance project (in my mind). That document doesn't mention specifications such as NIST Levels 1 (Bronze), 2 (Silver), 3, 4, directly, but instead generalizes the importance of common standards, requirements, & accountability.

An excerpt from that document:

…identity solutions should be scalable across multiple communities, spanning traditional geographic borders. Interoperable identity solutions will allow organizations to accept and trust external users authenticated by a third party. Identity solutions achieve scalability when all participants in the various identity federations agree upon a common set of standards, requirements, and accountability mechanisms for securely exchanging digital identity information, resulting in authentication across identity federations.

The InCommon Federation is one such identity federation community, and we have the Identity Assurance Profiles of Bronze & Silver — an agreed upon set of standards, requirements, and accountability mechanism.

We should anticipate that our researchers interacting with the NSF and NIH may have some changes coming, but depending on how you define "all [government] agencies" — this could have some impact for our campuses.

This executive order may be the external pressure we need to support Bronze & Silver levels of assurance, with multi-factor authentication.

--

Brett Bieber
http://go.unl.edu/bieber
University of Nebraska-Lincoln